ThreatQ: Focusing on data-driven security

Leon Ward, VP of Product Management at ThreatQuotient, tells Anita Joseph that data-driven automation is better suited to automated detection and response than traditional process-centric implementations.

ThreatQuotient has consistently been at the forefront of innovating and delivering what the SOC of the future needs. Tell us all about it.

The SOC of the future is built on data, and teams have never had greater access to it. While the data available from the various technologies, threat feeds, and other third-party sources is essential for threat detection and response, teams can quickly become overwhelmed by the volume of data if care is not taken to manage it properly. ThreatQuotient has lived deep in this world of diverse security data, helping our customers manage this challenge by improving their ability to understand and respond to threats through integrating their defences and processes at a data level, rather than just at a process level.

You recently announced V5 of the ThreatQ platform. What are the new additions/feature enhancements?

There are three main areas of enhancement. Firstly, updates to the DataLinq Engine. DataLinq is at the core of everything ThreatQ does: it performs the processes of ingest, normalisation, correlation, prioritisation, and translation of data. It does this so it can better connect those valuable dots that exist in your existing security data stores, and also between them. In version 5 (V5) specifically, our customers will notice a marked acceleration in how quickly data appears in the Threat Library, along with improved handling of object modification timestamps. This improvement has been achieved through large changes in our approach to storing and processing data in the back-end.

In addition to these brand new back-end changes, we're announcing some capabilities that we actually made available to our users over recent months. Smart Collections is our new approach to allowing customers to define reusable sets of data across different use cases. From choosing what information is best reflected in a dashboard, to identifying the correct threat indicators to operationalize, to building lists of prioritised events, Smart Collections will be the one-stop interface.

Lastly, our ThreatQ Data Exchange module (TQX) is updated to allow better control and inclusion of related intelligence data.

A lot is being said about data-driven security. What are the advantages of this approach?

We’re big proponents of data-driven automation here at ThreatQuotient, most importantly because it provides an approach that is better suited for automated detection and response than the traditional process-centric implementations.

If you think of how automation tools have evolved through different use cases, it's easy to understand how we got to the process-driven approach. Think about the automation needs that have existed for IT or cloud system provisioning, or the QA (quality assurance) automation needs where a process is built to accelerate a series of the same tests or actions in a product or code. These automation needs have something in common: they know what they need to achieve when they start the process. This is not the same for security investigation and analysis processes; you never know where an investigation will take you before you start it. It turns out that the difference is fundamental.

This key difference of not knowing your target outcome when you start means a system has to learn as it performs its actions, generating a feedback loop to better guide execution. This is the foundation of what we call data-driven automation.
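The contrast Ward draws above, as an added example that is not ThreatQuotient's code: a fixed three-step playbook beside a worklist-driven investigation in which each enrichment result decides what is pivoted on next. The `RELATED` and `SCORES` tables are constructed stand-ins for enrichment sources and a prioritisation step, and the `pivot_threshold` and `max_hops` parameters are assumptions for the illustration, not anything the product exposes.

```python
"""Added example, not ThreatQuotient's code: a fixed 'process-driven' playbook
next to a 'data-driven' worklist in which each enrichment result decides
what happens next. All data below is constructed for the example."""
from collections import deque

# Constructed stand-in for enrichment sources (feeds, passive DNS, sandbox).
# Maps an object (type, value) to the objects an enrichment call relates to it.
RELATED = {
    ("ip", "203.0.113.10"): [("domain", "update-check.example"), ("hash", "a1b2c3")],
    ("domain", "update-check.example"): [("ip", "198.51.100.7")],
    ("hash", "a1b2c3"): [("domain", "cdn-mirror.example"), ("hash", "d4e5f6")],
    ("domain", "cdn-mirror.example"): [("ip", "192.0.2.1")],   # shared CDN, noise
    ("ip", "198.51.100.7"): [("hash", "d4e5f6")],
    ("hash", "d4e5f6"): [],
    ("ip", "192.0.2.1"): [("domain", "cdn-mirror.example")],
}

# Constructed 0-100 scores, as a prioritisation step might assign them.
SCORES = {
    ("ip", "203.0.113.10"): 80,
    ("domain", "update-check.example"): 70,
    ("hash", "a1b2c3"): 90,
    ("domain", "cdn-mirror.example"): 5,
    ("ip", "198.51.100.7"): 60,
    ("hash", "d4e5f6"): 85,
    ("ip", "192.0.2.1"): 10,
}


def enrich(obj):
    """Simulated enrichment lookup; a real one would call a feed or sandbox."""
    return RELATED.get(obj, [])


def process_driven(seed):
    """Fixed playbook: the steps are decided before the first result is seen.

    Step 1 enriches the seed, step 2 resolves any domains that came back,
    step 3 files what it has. Hashes and second-hop IPs are never pivoted on,
    whatever the data says."""
    findings = {seed}
    first_hop = enrich(seed)                      # step 1
    findings.update(first_hop)
    for obj in first_hop:                         # step 2
        if obj[0] == "domain":
            findings.update(enrich(obj))
    return findings                               # step 3


def data_driven(seed, pivot_threshold=50, max_hops=4):
    """Worklist investigation: every result feeds back into the queue.

    An object is only pivoted on if its score clears the (assumed) threshold,
    so low-confidence noise such as a shared CDN domain is recorded but not
    expanded, and a hop budget bounds the walk. Returns (seen, pivoted)."""
    seen = {seed}
    pivoted = []
    queue = deque([(seed, 0)])
    while queue:
        obj, hops = queue.popleft()
        if hops >= max_hops:
            continue
        pivoted.append(obj)
        for rel in enrich(obj):
            if rel in seen:
                continue
            seen.add(rel)
            # Feedback loop: the data just returned chooses the next action.
            if SCORES.get(rel, 0) >= pivot_threshold:
                queue.append((rel, hops + 1))
    return seen, pivoted


def prioritised(objects):
    """Order findings for an analyst, highest score first."""
    return sorted(objects, key=lambda o: SCORES.get(o, 0), reverse=True)


if __name__ == "__main__":
    seed = ("ip", "203.0.113.10")
    fixed = process_driven(seed)
    seen, pivots = data_driven(seed)
    print("process-driven found:", len(fixed))
    print("data-driven found:", len(seen), "after", len(pivots), "pivots")
    for obj in prioritised(seen - fixed):
        print("  missed by the fixed playbook:", obj)
```

On the constructed data the fixed playbook stops at four objects and never reaches the second hash, because nothing in its script enriches a hash; the worklist reaches it through two independent paths, yet leaves the low-scoring CDN domain unexpanded, so the benign IP behind it never enters the investigation.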

How, in your opinion, is the cybersecurity landscape shaping up in 2022? What are the main trends?

We're seeing security operations technologies continue down their convergence path, and automation has become a critical component within any scalable security strategy for good reason: security teams are under constant pressure to do more. It's widely accepted that detection and response times are too high, and with the clear lack of available cybersecurity skills in the workforce, it's impossible to simply throw more manpower at the problem.

Automation of traditionally manual processes is seen as a way to unburden people from actions that may be considered a bad use of their time. If you're looking for proof of this, just look at our QA automation team here at ThreatQuotient. When it comes to the SOC and security operations, why have people clicking buttons, copy-pasting information between products, and performing other mundane tasks that don't leverage the security domain knowledge that they've been hired for?

What will the focus of your security strategy be this year?

This is lining up to be a busy year for all of us here at ThreatQuotient! Our product strategy for 2022 is to continue on the path that we’ve started on with ThreatQuotient v5, and bring to market an innovative user experience for our customers to leverage our approach to automation. We’ve built out a lot of the data foundations for our vision already, and we’re excited to close the loop by releasing the new user experience elements to disrupt how complex, or rather simple, data-driven automation can be.
